Platform: rust
Component: lemmy_routes
Fixed in: 0.19.17, 0.19.16
CVE-2026-29178 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the lemmy_routes component of Lemmy. This vulnerability allows an unauthenticated attacker to inject arbitrary query parameters into internal requests made by the pict-rs library, potentially enabling them to fetch sensitive data from internal resources or external URLs. The vulnerability impacts Lemmy versions before 0.19.16, and a patch has been released to address the issue.
The SSRF vulnerability in Lemmy lets an attacker have the Lemmy server issue requests to internal or external resources on their behalf, bypassing network controls that assume only the server itself reaches those destinations. The endpoint /api/v4/image/(unknown) passes the caller-supplied file_type query parameter into the request Lemmy builds for pict-rs without neutralising it, so a value that contains an encoded `&proxy=<url>` becomes a separate proxy parameter on that internal request and makes pict-rs fetch the attacker's URL. The impact depends on what is reachable from the Lemmy host: internal HTTP services that were never meant to be exposed, and data returned by them, become addressable by an unauthenticated client. The blast radius is therefore every HTTP resource on the networks the Lemmy server and pict-rs can reach, not just the instance itself.
This vulnerability was publicly disclosed on 2026-03-04. Currently, there are no known active campaigns exploiting this specific CVE. No public proof-of-concept (POC) code has been released, but the SSRF nature of the vulnerability makes it relatively easy to exploit. The vulnerability is not currently listed on the CISA KEV catalog.
Lemmy instances running versions prior to 0.19.16 are at risk. This includes self-hosted instances, as well as those hosted on shared infrastructure where the server environment might be less controlled. Instances that expose internal services accessible via HTTP are particularly vulnerable.
• linux / server:
journalctl -u lemmy -f | grep "proxy="
• generic web:
curl -I 'http://your-lemmy-instance/api/v4/image/test.jpg?file_type=image/png%26proxy=http://example.com'
(The URL must be quoted so the shell does not treat `&` as a job separator, and the injected `&proxy=` must sit inside the file_type value, hence the `%26` encoding, to match the description above.)
Exploit status
EPSS: 0.05% (percentile 17%)
CISA SSVC
The primary mitigation for CVE-2026-29178 is to upgrade Lemmy to version 0.19.16 or later, which includes a fix for the vulnerability. If upgrading immediately is not possible, add a Web Application Firewall (WAF) rule on the image endpoint that rejects any request whose file_type value, after URL decoding, contains `&`, `=` or the string `proxy=`, and any request that carries a top-level proxy parameter. Additionally, review and restrict outbound network access from the Lemmy server and from pict-rs (egress filtering to the hosts they legitimately need) to limit what a successful SSRF can reach. After upgrading, confirm the fix by sending a request with an injected proxy value to the image endpoint and verifying that the server does not fetch the external URL (for example by watching the target host's access log).
Update Lemmy to version 0.19.16 or later. This version fixes the SSRF vulnerability in the image endpoint by properly validating the query parameters. The update prevents attackers from injecting arbitrary parameters into the internal requests made to pict-rs.
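The three points above (the parameter-splicing mechanism described for the image endpoint, the log and request checks, and the validate-then-encode fix) can be seen together in the following added example. This is illustrative code written for this page, not Lemmy's or pict-rs' implementation: the internal pict-rs URL shape, the access-log format and the sample requests are assumptions chosen for the demonstration; only the endpoint path and the file_type and proxy parameter names come from the advisory.

```rust
// Added example (not code from Lemmy or pict-rs). It shows why splicing a
// caller-controlled query value into an internal request enables SSRF, the
// hardened equivalent, and a detection pass over access-log lines.
// Assumptions: the internal pict-rs URL shape and the log format are made up
// for illustration; the endpoint and parameter names follow the advisory.

/// Assumed internal pict-rs endpoint; the real URL shape is not shown on the page.
pub const PICTRS_BASE: &str = "http://pict-rs:8080/image/process.png";

/// Vulnerable pattern: `file_type` is interpolated verbatim, so an `&` inside
/// it terminates the value and starts a new parameter on the internal request.
pub fn build_pictrs_url_vulnerable(file_name: &str, file_type: &str) -> String {
    format!("{PICTRS_BASE}?src={file_name}&file_type={file_type}")
}

/// Percent-encode a query value: RFC 3986 unreserved characters pass through,
/// everything else (including `&`, `=`, `/`, `:`) is encoded.
pub fn encode_query_value(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => out.push(b as char),
            _ => out.push_str(&format!("%{b:02X}")),
        }
    }
    out
}

/// Allow-list check for a MIME type of the form `type/subtype` built from a
/// conservative character set; `&`, `=`, `?` and spaces never pass.
pub fn is_plausible_mime(s: &str) -> bool {
    let part_ok = |p: &str| {
        !p.is_empty()
            && p.len() <= 64
            && p.bytes().all(|b| b.is_ascii_alphanumeric() || matches!(b, b'-' | b'.' | b'+'))
    };
    match s.split_once('/') {
        Some((t, sub)) => part_ok(t) && part_ok(sub),
        None => false,
    }
}

/// Hardened pattern: validate against the allow-list first, then encode every
/// value on the way out so it can only ever be one parameter.
pub fn build_pictrs_url_hardened(file_name: &str, file_type: &str) -> Result<String, String> {
    if !is_plausible_mime(file_type) {
        return Err(format!("rejected file_type: {file_type:?}"));
    }
    Ok(format!(
        "{PICTRS_BASE}?src={}&file_type={}",
        encode_query_value(file_name),
        encode_query_value(file_type)
    ))
}

/// Decode `%XX` escapes and `+`; malformed escapes are kept literally.
pub fn percent_decode(s: &str) -> String {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' && i + 2 < bytes.len() {
            if let Some(v) = std::str::from_utf8(&bytes[i + 1..i + 3])
                .ok()
                .and_then(|h| u8::from_str_radix(h, 16).ok())
            {
                out.push(v);
                i += 3;
                continue;
            }
        }
        out.push(if bytes[i] == b'+' { b' ' } else { bytes[i] });
        i += 1;
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Split a query string into decoded (key, value) pairs.
pub fn parse_query(q: &str) -> Vec<(String, String)> {
    q.split('&')
        .filter(|p| !p.is_empty())
        .map(|p| {
            let (k, v) = p.split_once('=').unwrap_or((p, ""));
            (percent_decode(k), percent_decode(v))
        })
        .collect()
}

/// Detection heuristic for the image endpoint: flag a `file_type` that is not a
/// plain MIME type after decoding (catches the encoded `%26proxy=` form) and any
/// top-level parameter literally named `proxy` (catches the unencoded form).
pub fn is_suspicious_request(target: &str) -> bool {
    let (path, query) = match target.split_once('?') {
        Some(pq) => pq,
        None => return false,
    };
    if !path.starts_with("/api/v4/image/") {
        return false;
    }
    parse_query(query)
        .iter()
        .any(|(k, v)| (k == "file_type" && !is_plausible_mime(v)) || k == "proxy")
}

/// Constructed access-log sample (not real traffic); lines 2 and 3 carry the
/// injection in encoded and literal form, lines 1 and 4 are benign.
pub const SAMPLE_LOG: &str = r#"10.0.0.5 - - [04/Mar/2026:10:00:01 +0000] "GET /api/v4/image/test.jpg?file_type=image/png HTTP/1.1" 200 1234
10.0.0.9 - - [04/Mar/2026:10:00:02 +0000] "GET /api/v4/image/test.jpg?file_type=image/png%26proxy=http://internal-service.local/ HTTP/1.1" 200 88
10.0.0.9 - - [04/Mar/2026:10:00:03 +0000] "GET /api/v4/image/test.jpg?file_type=image/png&proxy=http://example.com HTTP/1.1" 200 88
10.0.0.7 - - [04/Mar/2026:10:00:04 +0000] "GET /api/v4/post/list?sort=Hot HTTP/1.1" 200 5120"#;

/// Pull the request target out of a combined-format log line.
pub fn request_target(line: &str) -> Option<&str> {
    line.split('"').nth(1)?.split_whitespace().nth(1)
}

/// Return the 1-based numbers of log lines whose request looks like the injection.
pub fn flag_log_lines(log: &str) -> Vec<usize> {
    log.lines()
        .enumerate()
        .filter(|(_, line)| request_target(line).map_or(false, is_suspicious_request))
        .map(|(i, _)| i + 1)
        .collect()
}

fn main() {
    let injected = "image/png&proxy=http://internal-service.local/"; // constructed payload
    println!("vulnerable: {}", build_pictrs_url_vulnerable("test.jpg", injected));
    println!("hardened:   {:?}", build_pictrs_url_hardened("test.jpg", injected));
    println!("hardened:   {:?}", build_pictrs_url_hardened("test.jpg", "image/png"));
    println!("flagged log lines: {:?}", flag_log_lines(SAMPLE_LOG));
}
```

The vulnerable builder yields an internal URL in which `proxy=http://internal-service.local/` is a parameter of its own, which is exactly the splice the advisory describes; the hardened builder rejects that value before it is ever encoded, and even a permitted value is percent-encoded so it cannot grow a second parameter. The detector decodes before judging, because a WAF or log search that only looks for a literal `&proxy=` misses the `%26` form.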
CVE-2026-29178 is a Server-Side Request Forgery vulnerability in the Lemmy lemmy_routes component, allowing attackers to make requests to internal or external resources as the Lemmy server.
You are affected if you are running Lemmy versions prior to 0.19.16. Upgrade to the latest version to mitigate the risk.
Upgrade Lemmy to version 0.19.16 or later. As a temporary workaround, implement a WAF rule that blocks image-endpoint requests whose decoded file_type value contains `&` or `proxy=`.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it potentially exploitable.
Refer to the Lemmy project's official security advisories and release notes for details: [https://github.com/LemmyNet/lemmy/releases](https://github.com/LemmyNet/lemmy/releases)